India’s mobile banking guidelines - who wins and who loses?

by Kabir Kumar: Wednesday, October 8, 2008

I have been tracking the mobile banking/branchless banking space in India for a few years - since the business correspondent guidelines were issued. India drafted those guidelines in the spirit of significantly ramping-up access to finance for poor people. The guidelines put Indians in the lead on branchless banking regulation in the South Asia region. Two years have passed and we have yet to see those guidelines translate into a dramatic change in the access to financial services picture in India. There are new companies and more experimentation with correspondents and innovative solution providers but banks have simply not been aggressive about pursuing branchless channels.

The Reserve Bank of India issued final mobile banking guidelines on Wednesday and banks are again front and center. Should we expect these guidelines to dramatically alter the picture of financial access in India? Are the unbanked winners or losers? Well….

The guidelines permit only licensed banks with a physical bank presence in India to launch mobile banking. The service should be available to their customers regardless of their cell phone service. Only domestic Indian rupee transactions are permitted and are capped at Rs. 5000/ (US$104) per customer per day for funds transfer and Rs.10,000/ (US$208) per customer per day for transactions involving purchase of goods/services. Customers have to open accounts in person but the RBI may make an exception for remote account opening in some circumstances. The guidelines also go further than most other countries in identifying customer protection issues.

These guidelines make for some clear winners and losers. Those are briefly discussed below. The unbanked, however, remain unharmed and un-helped. The unbanked remain un-helped because a mobile wallet service from a mobile operator would have surely reached more people faster. Millions could have had a mobile wallet account for transfers and payments.

The unbanked remain unharmed because barriers to account opening for the undocumented unbanked in India will remain the same. These guidelines don’t change that. The guidelines state that banks need to ensure that customers are physically present which the makes it as hard as it has always been for customers who are far from the reach of any banking infrastructure. Exceptions to this physical presence rule are permitted but it is unclear exactly how banks would exercise that. Moreover, the unbanked are going to be new customers for banks anyway and banks are typically more conservative on due-diligence on customers at a/c opening than even the regulator.

Winners

1. Banks. RBI’s preference for banks over mobile network operators for mobile banking is well known so restricting the service to just licensed banks and bank account holders (or card holders) should not come as a surprise. Banks benefit over mobile network operators but they are not as aggressive when it comes to going after new markets and it is unclear if they will seize the opportunity they now have.

2. Third party providers who sit between banks and mobile network operators. These are the agent network operators and those best placed to negotiate with all telecom companies on behalf of banks. The guidelines state that banks offering mobile banking service must ensure that customers having mobile phones of any network operator are in a position to avail of the service. The guidelines also say that banks should “endeavor” to have end-to-end security. SIM-based application is the most secure end-to-end (information gets encrypted on the phone before transmittal and remains encrypted during) but negotiating those individual arrangements with each operator that controls the SIM is going to be a nightmare. That requirement of interoperability means third party providers who have previous experience as USSD gateway operators, for instance, are likely to be in the most favorable position.

Moreover, some banks may just go with a white label service of some kind. Banks that care little about having their own brand associated with the service and more about the float may just go with a model where they can simply plug into a white label service that has already established relationship with operators and others.

3. Internet banking. By requiring physical presence for account opening, the guidelines give mobile banking a crippled start in the Indian market. If banked customers are already using internet banking, why would they go through the hassle of visiting a physical branch to open a mobile bank. The transaction caps are higher than what RBI had originally proposed in an earlier draft but probably not enough for many banked customers to make the mobile channel their primarily channel for remote bill payments and transfers. Interoperability with all mobile operators is also likely to slow down the time to market for mobile banking services.

4. Operator interoperability. If banks that can take out a service that works for customers of any mobile operators, then it is good news for customers. Interoperability will slow down the time to market but ultimately clients will benefit.

Losers

1. Mobile network operators. No M-Pesa or G-cash in India, at least until RBI issues new guidance on e-money. Both of those services are not backed by a bank account in the customer’s name. Industry view is that RBI is less likely to act on e-money in the near future. As a result, mobile operators lose out on the float and are largely reduced to being either pipes or service providers that can host the account information on behalf of banks. Mobile operators could still negotiate on branding and we should not rule out a SMART money type service where SMART telecom in the Philippines provides account hosting and secure communication services to multiple banks.

2. SMS. The guidelines state that technology requirements are “indicative” and banks should “endeavor” to secure end-to-end encryption. As a result, it would not be far fetched to expect that banks, at a bare minimum, will avoid the least secure service, i.e., SMS based. That is not necessarily bad news from a usability perspective. SMS-based services are cumbersome to use anyway, especially people who have low levels of education. RBI is requiring interoperability (customers of any mobile operator) and application based security. Banks may be thinking about how they can get most bang for the buck and seek out exceptions from RBI. USSD is more secure than SMS but less than SIM-based application (more discussion on that here…). But it is easier to launch an interoperable USSD-based service than SIM-based one. USSD-based service should also be cheaper.

Geography: South Asia India

Topic: Agents, Banks, Financial Literacy, M-PESA, Microfinance, Mobile Banking, Mobile Phones, Rural, Telecom

Type: News

Comments: Comments and trackbacks are open.

10 Comments RSS 2.0

  1. October 9th, 2008 at 6:35 am, Anupam ()

    While it is good that the RBI has taken a ‘customer safeguarding’ approach, you are right in saying that a lot more could be done to link the cause of Financial Inclusion with the opportunity of Mobile Banking.

    Large scale financial inclusion is about balancing ‘risk perception’ with ‘increasing degrees of freedom’ for all the players involved. RBI has made a good first move, it must be viewed as just a cautious start. But this is a welcome move that lays the ground-rules for companies like Eko (www.eko.co.in), where I work, to roll out their initiatives.

  2. October 11th, 2008 at 7:07 pm, Will RBI’s Guidelines for Mobile Banking Transactions in India Help the Unbanked at the Bottom of the Pyramid? | Gauravonomics Blog ()

    [...] 6 6 India’s mobile banking guidelines - who wins and who loses?, Kabir Kumar, CGAP, October 8, [...]

  3. October 22nd, 2008 at 1:12 am, Shumit ()

    Kabir,

    Great post!!!

    My thought is that the restrictions on the Rs.5000 per customer for fund transfer and Rs.10,000 for mobile purchases is allright in the context of an area like Tanjore (rural India). When people make purchases for say Rs.10,000. I feel that this restriction will not affect people in rural areas and people who are at the bottom or the pyramid.

    SMS is a preferred mode of communication is most of the country. GPRS still does not function very well and ruling out SMS (although not explictly said yet) could totally hamper the user experience.

    Thanks,
    Shumit

  4. October 23rd, 2008 at 6:19 am, Shumit ()

    Kabir,

    A few more thoughts

    Regulation 1: The RBI guidelines, by implication, say that only banks can offer mobile transaction services. The guidelines say this service can be offered only to customers of banks and/or holders of debit/credit cards. Document-based registration is called for, with the mandatory physical presence of the customer, before mobile services are offered. The banks are responsible for ensuring Know Your Customer norms, and must have core banking systems in place.

    Several MFIs today act as a business correspondent (BC) (agents who work on behalf of banks) for commercial banks to reach areas where opening a bank branch is not viable. Usually at the business correspondent’s office, a bank representative is present who oversees the enrolment of clients and ensures that the KYC requirements are complied with. The bank through a BC can enroll clients, the clients can be served by the bank using mobile banking thus fulfilling the objective and the spirit of financial inclusion

    Regulation 2: The RBI’s guidelines call for a two-factor authentication for validation of a customer. The industry has reacted to this by interpreting that two-factor authentication can be supported only by GPRS and not through SMS. Media has also criticized RBI by saying that the new mobile banking regulations such as the two factor authentication do not facilitate financial inclusion since basic mobile phones owned by majority of people in rural India do not support GPRS.

    Secure transactions can happen even via SMS. SMS’es are of two types – Normal and Encrypted SMS. Normal SMS is what we use for day-to-day communication and is not secure. The SMS is not encrypted when it passes through the pipe it can be accessed. On the other hand, an encrypted SMS is converted into non-readable text using a RSA / AES (security) algorithm. The text that can be encrypted are numbers from 1-9, capital letters from A-Z and small letters from a-z. Special characters cannot be encrypted. When the bank client sends a sms from his phone to the server, a sms along with an encrypted key is sent to the server. If the encryption algorithm is strong enough, it is not possible to read the SMS. The server then decrypts (opens) the encrypted key using a RSA encryption algorithm. This technology is perfectly secure and GPRS is not mandatory. Not many phone users in India subscribe to GPRS and even fewer have phones that can support GPRS. Around 60 percent of the 306 million handsets or mobile connections in India are without GPRS and WAP. Due to lack of GPRS connectivity, Smart Trust applications, securea SMS based applications will be the prominent atleast in the initial years of mobile banking.

  5. October 23rd, 2008 at 6:19 am, Shumit ()

    Kabir,

    A few more thoughts

    Regulation 1: The RBI guidelines, by implication, say that only banks can offer mobile transaction services. The guidelines say this service can be offered only to customers of banks and/or holders of debit/credit cards. Document-based registration is called for, with the mandatory physical presence of the customer, before mobile services are offered. The banks are responsible for ensuring Know Your Customer norms, and must have core banking systems in place.

    Several MFIs today act as a business correspondent (BC) (agents who work on behalf of banks) for commercial banks to reach areas where opening a bank branch is not viable. Usually at the business correspondent’s office, a bank representative is present who oversees the enrolment of clients and ensures that the KYC requirements are complied with. The bank through a BC can enroll clients, the clients can be served by the bank using mobile banking thus fulfilling the objective and the spirit of financial inclusion

    Regulation 2: The RBI’s guidelines call for a two-factor authentication for validation of a customer. The industry has reacted to this by interpreting that two-factor authentication can be supported only by GPRS and not through SMS. Media has also criticized RBI by saying that the new mobile banking regulations such as the two factor authentication do not facilitate financial inclusion since basic mobile phones owned by majority of people in rural India do not support GPRS.

    Secure transactions can happen even via SMS. SMS’es are of two types – Normal and Encrypted SMS. Normal SMS is what we use for day-to-day communication and is not secure. The SMS is not encrypted when it passes through the pipe it can be accessed. On the other hand, an encrypted SMS is converted into non-readable text using a RSA / AES (security) algorithm. The text that can be encrypted are numbers from 1-9, capital letters from A-Z and small letters from a-z. Special characters cannot be encrypted. When the bank client sends a sms from his phone to the server, a sms along with an encrypted key is sent to the server. If the encryption algorithm is strong enough, it is not possible to read the SMS. The server then decrypts (opens) the encrypted key using a RSA encryption algorithm. This technology is perfectly secure and GPRS is not mandatory. Not many phone users in India subscribe to GPRS and even fewer have phones that can support GPRS. Around 60 percent of the 306 million handsets or mobile connections in India are without GPRS and WAP. Due to lack of GPRS connectivity, Smart Trust applications, securea SMS based applications will be the prominent atleast in the initial years of mobile banking.

    Thanks,
    Shumit Vatsal

  6. October 28th, 2008 at 12:20 am, Sanjay Swamy ()

    Hi Kabir

    Looking at it from the Indian context, I think the RBI has done absolutely the right thing - the mobile phone provides banks with an opportunity to bring customers into the banking fold with a lower cost to serve, and RBI is keen to ensure that the banks to get the most of this opportunity. They have chosen not to look at short-term gains and do things in a structured manner with long-term benefits in mind.

    The long-term objective here is to bring people into the banking fraternity - plain and simple. Telcos play a key role in this - but the responsibility and ownership and guarantee of funds lies absolutely with the bank.

    The fact that one model has been successful in Kenya or Philippines is encouraging, but the sheer scale at which India would need to operate means we have to think differently - the long-term effect of allowing non-banks to take consumer deposits are unknown.

    The only scalable model is to keep the customer ownership of the float and the responsibility of guarantee of funds with the banks - this also ensures the long-term benefit of upgrading a user to a full bank account.

    As far as technology platforms go - as Shumit points out - SMS can definitely be encrypted with 128-bit strength algorithms like 3DES, with a Java phone or SIM card application (the latter on the lowest-end handsets)

    As far as reaching out to the masses, already we have Airtel shipping the mChek secure application to several Million SIM cards every month - this is a significant step forward in the industry. Similar initiatives with others will ensure that, over a 24-36 month period, most households will have mobile phones with banking-grade secure applications, and mobile banking can be enabled Over-The-Air.

    The banking fraternity would gladly take this equation - and the roles of the banks, Telcos and intermediaries will continue to remain the same.

    RBI, in my mind, has intelligently combined the right balance of conservativeness and innovation in a manner that takes into account the scale in India - while leaving the door open for tweaking the guidelines over time, as initial results validate the theories.

    Sanjay

  7. January 19th, 2009 at 3:51 am, Anand ()

    Hi All,

    Can anyone comment on the challenges in mobile banking in the rural India? SMS is a very good medium as suggested above, but is there any data available as to what is the educational background of the people using mobile banking, their levels of technology acceptance etc.
    If anyone can help me on these issue, please comment.
    Thanks a lot,
    Regards,
    Anand

  8. July 27th, 2009 at 8:55 am, manish ()

    Can u please throw light on what should one interpret when RBI says that only bank with Physical presence can offer Internet Banking & Mobile Banking Services in india. Does it mean that the bank should have branch everywhere or a Head Quarter office will do. I ask because if they want branches all over, then there is no point saying that mobile banking & internet banking will lead ot financial inclusion.

  9. January 13th, 2010 at 11:09 am, vijay ()

    SMS is a powerful tool used mostly by youths or those who are keypad aware; targeted audience is not comfortable with Address-Number books in mobile phones, sms is not a tool for mass market, they may receive offer SMS n read it but sending every now n then will definitely be an barrier for sure

  10. June 24th, 2010 at 7:51 am, Banking on Trust | The Prepaid Economy Blog ()

    [...] include as inclusive initiatives as M-Pesa. It seems that this is partly because the RBI approved banks over mobile network operators to conduct services. The resulting offerings haven’t effectively reduced barriers for the [...]

Leave a Reply